Oracle® Identity Management User Reference
10g Release 2 (10.1.2) B15883-01
During installation, the Oracle Internet Directory Configuration Assistant (oidca) configures Oracle Internet Directory. Once an installation has been completed, you can use it to:
Create, upgrade, or delete an Oracle Context.
Convert an Oracle Context to an Oracle Identity Management realm.
Configure the ldap.ora file that is used to discover the directory server in the environment.
Use the Oracle Internet Directory Configuration Assistant with Enterprise User Security and Oracle Net Services under the following conditions:
Table 2-1 Conditions for Using Oracle Internet Directory Configuration Assistant for Specific Database Components
Component | Conditions |
---|---|
Enterprise User Security |
Enterprise User Security works only with Oracle Identity Management realms created in the 9.0.4 or later release of Oracle Internet Directory. If you have Oracle Contexts created in prior releases, then you must use the Oracle Internet Directory Configuration Assistant to convert them to Oracle Identity Management realms. Use Oracle Internet Directory Configuration Assistant when creating or updating the |
Oracle Net Services |
Use Oracle Internet Directory Configuration Assistant when:
|
oidca oidhost=hostname {nonsslport=port_number | sslport=port_number} dn=binddn pwd=bindpwd {{mode=CREATECTX | UPGRADECTX | DELETECTX | CTXTOIMR contextdn=oraclecontextdn} | {mode=LDAPORA adminctx=admincontextdn dirtype=OID | AD [-update]}} | {propfile=filename}
oidhost=hostname
Required. The host name of the Oracle Internet Directory server. If not specified, then the default of localhost is used.
nonsslport=port_number | sslport=port_number
Required. The port number used to connect to the Oracle Internet Directory server.
To connect to the directory in non-SSL mode, supply the unsecure LDAP port with the nonsslport argument (the default is 389).
To connect to the directory in SSL mode, supply the secure LDAP port with the sslport argument (the default is 636).
dn=binddn
Required. The DN of the Oracle Internet Directory user needed to bind to the directory (for example, cn=orcladmin).
pwd=bindpwd
Required. The user password needed to bind to the directory.
mode=CREATECTX | UPGRADECTX | DELETECTX | CTXTOIMR | LDAPORA
Required. Specifies the operation to perform. The choices are:
CREATECTX
creates a new Oracle Context under the given DN.
UPGRADECTX
upgrades the Oracle Context in the given DN. You cannot upgrade Oracle Context instances that belong to a realm.
DELETECTX
deletes an Oracle Context from the given DN.
CTXTOIMR
converts an Oracle Context to an Oracle Identity Management realm.
LDAPORA
configures the ldap.ora file that is used to discover the Oracle Internet Directory server in the environment.
contextdn=oraclecontextdn
Required when the mode argument equals CREATECTX, UPGRADECTX, DELETECTX, or CTXTOIMR. Specifies the DN under which the Oracle Context will be created, upgraded, deleted, or converted to an Oracle Identity Management realm.
adminctx=admincontextdn
Required when the mode argument equals LDAPORA. The default administrative context DN. For example, dc=company,dc=com.
dirtype=OID | AD
Required when the mode argument equals LDAPORA. The type of directory.
-update
Optional flag used when the mode argument equals LDAPORA. Use -update to overwrite an existing ldap.ora file. If not given, a new ldap.ora file will be created. If the ldap.ora file exists and the -update argument is not specified, then the Assistant exits with the message "ldap.ora exists".
propfile=filename
Instead of specifying the mode argument and its associated contextdn, adminctx, and dirtype arguments on the command line, you can specify them in a properties file. Specify the full path and file name of the file containing these arguments.
Using the Oracle Internet Directory Configuration Assistant command-line tool, you can perform the following tasks:
The following example shows how to create a new Oracle Context under the given context DN:
Example:
oidca oidhost=host.company.com nonsslport=389 dn=cn=orcladmin pwd=password mode=CREATECTX contextdn=dc=company,dc=com
The context DN must exist in the directory and have the format of dc=your_company,dc=com. A DN with the format of cn=oraclecontext,dc=your_company,dc=com must not exist in the directory.
When creating an Oracle Context, Oracle Internet Directory Configuration Assistant does the following:
It verifies that the contextdn has valid DN syntax.
It verifies if OracleContext exists. If OracleContext does not exist, then Oracle Internet Directory Configuration Assistant creates it under the given context DN.
The following example shows how to upgrade an existing Oracle Context under the given context DN:
Example:
oidca oidhost=host.company.com nonsslport=389 dn=cn=orcladmin pwd=password mode=UPGRADECTX contextdn=cn=oraclecontext,dc=company,dc=com
The context DN must exist in the directory, and can have either the format of dc=your_company,dc=com or the format of cn=oraclecontext,dc=your_company,dc=com. The given context DN must contain an OracleContext. The OracleContext cannot belong to a realm.
When upgrading an Oracle Context, Oracle Internet Directory Configuration Assistant does the following:
It verifies that the context DN has a valid DN syntax and that OracleContext exists in Oracle Internet Directory. The Assistant cannot upgrade a root OracleContext explicitly. If there is no root OracleContext, then the Assistant sends an error message.
It verifies if the OracleContext already belongs to an Oracle Identity Management realm. You cannot upgrade OracleContext instances that belong to a realm.
If OracleContext belongs to a realm, then Oracle Internet Directory Configuration Assistant exits with the appropriate message.
It verifies if the OracleContext is up-to-date.
If the OracleContext is up-to-date, then the Assistant exits with the message "Oracle Context already exists and is up to date."
If the OracleContext is not up-to-date, then the Assistant upgrades the OracleContext under this DN.
The following example shows how to delete an existing Oracle Context under the given context DN:
Example:
oidca oidhost=host.company.com nonsslport=389 dn=cn=orcladmin pwd=password mode=DELETECTX contextdn=cn=oraclecontext,dc=company,dc=com
The context DN must exist in the directory, and can have either the format of dc=your_company,dc=com or the format of cn=oraclecontext,dc=your_company,dc=com. The given context DN must contain an OracleContext. The OracleContext cannot belong to a realm.
When deleting an Oracle Context, Oracle Internet Directory Configuration Assistant does the following:
It verifies that the context DN has a valid DN syntax and that OracleContext exists in Oracle Internet Directory.
It verifies if the OracleContext already belongs to an Oracle Identity Management realm. You cannot delete OracleContext instances that belong to a realm.
If OracleContext belongs to a realm, then Oracle Internet Directory Configuration Assistant exits with the appropriate message.
If the OracleContext does not belong to a realm, then Oracle Internet Directory Configuration Assistant deletes it.
Oracle Database 10g entries must be stored in Oracle Internet Directory Release 9.0.4 or later. Moreover, Enterprise User Security, a feature of Oracle Database 10g, requires a Release 9.0.4 or later version of an Oracle Identity Management realm.
The following example shows how to convert an existing Oracle Context to an Oracle Identity Management realm:
Example:
oidca oidhost=host.company.com nonsslport=389 dn=cn=orcladmin pwd=password mode=CTXTOIMR contextdn=cn=oraclecontext,dc=company,dc=com
The context DN must exist in the directory, and can have either the format of dc=your_company,dc=com or the format of cn=oraclecontext,dc=your_company,dc=com. The given context DN must contain an OracleContext. The OracleContext cannot already belong to a realm.
When converting an Oracle Context to an Oracle Identity Management realm, Oracle Internet Directory Configuration Assistant does the following:
It verifies that the context DN has a valid DN syntax and that OracleContext exists in Oracle Internet Directory.
It verifies if the OracleContext already belongs to an Oracle Identity Management realm. You cannot convert OracleContext instances that already belong to a realm.
If the OracleContext does not belong to a realm, then the Assistant converts the OracleContext to an Oracle Identity Management realm.
Note:
The following example shows how to configure an ldap.ora file by overwriting the existing ldap.ora file:
Example:
oidca oidhost=host.company.com nonsslport=389 dn=cn=orcladmin pwd=password mode=LDAPORA admincontext=dc=company,dc=com dirtype=OID -update
When configuring the ldap.ora file, Oracle Internet Directory Configuration Assistant does the following:
Checks for the ldap.ora file location.
If ldap.ora exists and the -update flag is not specified, then the Assistant exits with the message "ldap.ora exists".
If ldap.ora exists and the -update flag is specified, then the Assistant updates the existing ldap.ora file.
If ldap.ora does not exist, then the Assistant creates a new ldap.ora file in a location in the following order:
LDAP_ADMIN
$ORACLE_HOME/ldap/admin
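The location order and the -update rule above decide whether the file that tells every Oracle Net client which directory server to trust gets silently replaced. The following is an added example, not Oracle's oidca code, that mirrors that decision logic; it assumes the standard Oracle Net ldap.ora parameters DIRECTORY_SERVERS, DEFAULT_ADMIN_CONTEXT and DIRECTORY_SERVER_TYPE (not described on this page), and the "created"/"updated" messages are constructed, only "ldap.ora exists" being the Assistant's own.

```python
import os
import tempfile

LDAP_ORA_EXISTS = "ldap.ora exists"   # message quoted on this page

def ldap_ora_path(env):
    """Resolve the ldap.ora location in the page's search order:
    LDAP_ADMIN first, then $ORACLE_HOME/ldap/admin."""
    if env.get("LDAP_ADMIN"):
        return os.path.join(env["LDAP_ADMIN"], "ldap.ora")
    if env.get("ORACLE_HOME"):
        return os.path.join(env["ORACLE_HOME"], "ldap", "admin", "ldap.ora")
    raise RuntimeError("neither LDAP_ADMIN nor ORACLE_HOME is set")

def render_ldap_ora(oidhost, nonsslport, sslport, adminctx, dirtype):
    """Standard Oracle Net ldap.ora parameters (assumed; not on this page)."""
    return (
        f"DIRECTORY_SERVERS=({oidhost}:{nonsslport}:{sslport})\n"
        f'DEFAULT_ADMIN_CONTEXT="{adminctx}"\n'
        f"DIRECTORY_SERVER_TYPE={dirtype}\n"
    )

def configure_ldap_ora(path, content, update=False):
    """Apply the -update rule: never touch an existing file unless update
    is set. Returns a status message ('created'/'updated' wording is
    constructed; only 'ldap.ora exists' is the Assistant's)."""
    if os.path.exists(path) and not update:
        return LDAP_ORA_EXISTS
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    return "ldap.ora updated" if update else "ldap.ora created"

def demo():
    """Create, re-run without -update, then re-run with -update, all in a
    temporary ORACLE_HOME; returns the three status messages."""
    with tempfile.TemporaryDirectory() as home:
        path = ldap_ora_path({"ORACLE_HOME": home})
        content = render_ldap_ora("host.company.com", 389, 636,
                                  "dc=company,dc=com", "OID")
        return [configure_ldap_ora(path, content),
                configure_ldap_ora(path, content),
                configure_ldap_ora(path, content, update=True)]

if __name__ == "__main__":
    print(demo())
```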